There is a serious bug in our extensions that can break the security of our products.
The issue is that admin tasks can be executed from the front-end.
For example, if you use the URL
www.yoursite.com/index.php?option=com_payplans&view=plan&task=remove&id=1
it may delete the plan with id = 1.
How to fix:
#1 : In the execute function of the controller, the "authorize" function should be called. This function checks whether the given task is defined in the respective controller. Currently it checks only for the admin controller; support for the site controller needs to be added as well.
#2 : All supported tasks must be defined in the respective controller.
For example, the Admin Plan controller must have a function for each of: add, edit, save, apply, savennew, etc.
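One way to implement the checks in #1 and #2, as an added example in plain PHP that is not PayPlans' own code; the class names (PlanControllerBase, AdminPlanController, SitePlanController), the allowedTasks list and the task method bodies are assumptions made for illustration:

```php
<?php
// Added example, not PayPlans code. Class and method names are assumed for illustration.

abstract class PlanControllerBase
{
    // Each concrete controller lists the tasks it supports; anything else is refused.
    protected array $allowedTasks = [];

    // Single entry point for every request, front-end (site) and back-end (admin) alike.
    public function execute(string $task): string
    {
        $this->authorize($task); // always runs, whichever controller handles the request
        return $this->$task();
    }

    // A task is valid only if the concrete controller lists it explicitly AND
    // implements it itself, so a method inherited from a base class cannot be reached.
    protected function authorize(string $task): void
    {
        if (!in_array($task, $this->allowedTasks, true) || !method_exists($this, $task)) {
            throw new RuntimeException("Task '$task' is not allowed in " . static::class);
        }
        $method = new ReflectionMethod($this, $task);
        if ($method->getDeclaringClass()->getName() !== static::class) {
            throw new RuntimeException("Task '$task' is not defined by " . static::class);
        }
    }
}

// Back-end controller: defines every task it supports (#2).
class AdminPlanController extends PlanControllerBase
{
    protected array $allowedTasks = ['add', 'edit', 'save', 'apply', 'remove'];
    public function add(): string    { return 'admin: add form'; }
    public function edit(): string   { return 'admin: edit form'; }
    public function save(): string   { return 'admin: saved'; }
    public function apply(): string  { return 'admin: applied'; }
    public function remove(): string { return 'admin: plan removed'; }
}

// Front-end controller: read-only display only; "remove" is neither listed nor defined.
class SitePlanController extends PlanControllerBase
{
    protected array $allowedTasks = ['display'];
    public function display(): string { return 'site: plan list'; }
}

// Simulates index.php?option=com_payplans&view=plan&task=remove arriving at the front-end.
try {
    echo (new SitePlanController())->execute('remove'), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'Refused: ', $e->getMessage(), PHP_EOL;
}
echo (new AdminPlanController())->execute('remove'), PHP_EOL;
```

The front-end request is refused by authorize before any task method runs, while the same task still works through the admin controller that declares it.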